Project summary

Based on the "Do you really want Bank Grade security?" post, I've decided to test the two banks I'm actively using, and see just how secure their TLS configuration is. After being rather disappointed with the results – even though I went in with lowered expectations – I've decided to embark on a journey to test all the banks and see if any of them score better. Since manually doing this was time-consuming and rather boring, I wrote a Python script to run the tests via the Qualys SSL Labs API and fetch/export the results into a format I can easily paste into the spreadsheet.

It should be noted that this project only tests the TLS server itself: accepted protocols, ciphers, other handshake properties and known vulnerabilities. It does NOT go any further and evaluate the security of the web application – CSRF/XSS/SQLi and other similar-sounding fancy acronyms – as those tests could be interpreted as actual attacks and would be highly illegal. All the information evaluated in this project comes from the TLS handshake made with the server; nothing nasty is involved.

Usage

To use the script, open scan.py and edit the global variables to configure it. Out of the box it comes with a list of hostnames loosely based on Wikipedia's article listing Romanian banks ordered by assets.

After configuration, start the scan by running scan.py start. By default the public API allows a single client to run 25 assessments at a time, so keep each batch of hostnames to 25 or fewer.

You can check on the progress by running scan.py info, which prints the number of assessments started by the script that are still running. When it shows 0/25, all the assessments have finished and you can either start the next batch of 25 or collect the results.

To collect the results, run scan.py collect [file], which fetches the assessment results and prints them in a tabulated fashion that you can paste into Google Sheets.

In Google Sheets, you can set up rules for Conditional Formatting in order to automatically color the "Pass"/"Fail" cells and the grades.
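The start/info/collect workflow above, condensed into one added example. This is not the project's scan.py; it is illustration code written for this page. It assumes the SSL Labs API v2 endpoint layout (/analyze with startNew=on and all=done, /info reporting currentAssessments and maxAssessments) and the v2 field names (status, endpoints, grade, details.poodle, details.poodleTls, details.heartbleed, details.rc4, details.protocols) as the example's author recalls them; check them against the API documentation before relying on them. The JSON responses embedded at the bottom are constructed samples, not real scan data, so the example runs offline.

```python
"""Added example (not the project's scan.py): start an SSL Labs assessment,
read how many of the concurrent slots are in use, and flatten a READY result
into tab-separated rows for a spreadsheet.

Assumption: URLs and JSON field names follow SSL Labs API v2 as recalled by
the example's author. SAMPLE_INFO / SAMPLE_RESULT below are constructed data.
"""
import json
import urllib.parse
import urllib.request

API = "https://api.ssllabs.com/api/v2"  # assumption: v2 endpoint layout


def api_get(path, **params):
    """GET one API endpoint and decode its JSON body (live network call)."""
    url = API + "/" + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def start_assessment(host):
    """Start a fresh scan: startNew=on bypasses cached results, all=done asks
    for per-endpoint details once the assessment is READY."""
    return api_get("analyze", host=host, startNew="on", all="done")


def poll_assessment(host):
    """Re-fetch state WITHOUT startNew, otherwise every poll restarts the scan."""
    return api_get("analyze", host=host, all="done")


def slots_in_use(info):
    """The 'N/25' string from an /info response (running vs. allowed)."""
    return "%d/%d" % (info["currentAssessments"], info["maxAssessments"])


def can_start(info, n_hosts):
    """True if a batch of n_hosts fits in the remaining concurrent slots."""
    return info["currentAssessments"] + n_hosts <= info["maxAssessments"]


def endpoint_row(host, ep):
    """Flatten one endpoint of a READY result into spreadsheet columns."""
    d = ep.get("details", {})
    # poodleTls: 2 = vulnerable, 1 = not vulnerable, <= 0 = test could not run
    poodle_tls = {2: "Fail", 1: "Pass"}.get(d.get("poodleTls"), "?")
    return [
        host,
        ep.get("ipAddress", ""),
        ep.get("grade", "-"),  # no grade when the endpoint itself errored
        "Fail" if d.get("poodle") else "Pass",  # SSLv3 POODLE
        poodle_tls,
        "Fail" if d.get("heartbleed") else "Pass",
        "Fail" if d.get("rc4") else "Pass",
        ", ".join("%s %s" % (p["name"], p["version"]) for p in d.get("protocols", [])),
    ]


HEADER = ["host", "ip", "grade", "poodle_ssl3", "poodle_tls", "heartbleed", "rc4", "protocols"]


def to_tsv(result, header=False):
    """Tab-separated rows, one per endpoint; paste straight into a sheet."""
    if result.get("status") != "READY":
        raise ValueError("%s: assessment is %s, not READY" % (result.get("host"), result.get("status")))
    rows = [endpoint_row(result["host"], ep) for ep in result.get("endpoints", [])]
    if header:
        rows.insert(0, HEADER)
    return "\n".join("\t".join(r) for r in rows)


# Constructed sample responses (not real scan data) so the example runs offline.
SAMPLE_INFO = {"engineVersion": "1.x", "currentAssessments": 3, "maxAssessments": 25}

SAMPLE_RESULT = {
    "host": "bank.example",
    "status": "READY",
    "endpoints": [
        {"ipAddress": "192.0.2.10", "grade": "A-", "hasWarnings": False,
         "details": {"poodle": False, "poodleTls": 1, "heartbleed": False, "rc4": False,
                     "protocols": [{"name": "TLS", "version": "1.2"}, {"name": "TLS", "version": "1.0"}]}},
        {"ipAddress": "192.0.2.11", "grade": "F", "hasWarnings": True,
         "details": {"poodle": True, "poodleTls": 2, "heartbleed": False, "rc4": True,
                     "protocols": [{"name": "SSL", "version": "3.0"}, {"name": "TLS", "version": "1.0"}]}},
    ],
}

if __name__ == "__main__":
    print(slots_in_use(SAMPLE_INFO))
    print(to_tsv(SAMPLE_RESULT, header=True))
```

The one detail worth internalising is the split between start_assessment and poll_assessment: startNew=on on every request would restart the scan each time you check on it, so only the first call carries it, and can_start is the check to run before kicking off the next batch so you never exceed the 25 concurrent slots.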

Test Results

I will try to update the spreadsheet above monthly, unless there was no change from last month's results. It should be interesting to see how their security evolves over time, and especially how fast banks react to newly disclosed TLS vulnerabilities, if they react at all.

I made the first manual tests on May 16th and repeated them on June 18th. BT, ING and Raiffeisen went from their B/B/C grades respectively to A-, which was a pleasant surprise.

The bad:

Some banks really don't like changing their SSL setup, even when a major vulnerability knocks on their door: two of them are still vulnerable to the POODLE attack as of June 29th, earning them an F grade.

Some banks really fucked up. As of June 29th, three banks serve their login forms over plain HTTP, and some of them even POST the credentials over HTTP and only then redirect to HTTPS. Their grades are forced to F, regardless of their actual TLS setup, until they fix it: when the login page and the credentials travel in the clear, anyone on the path can read or rewrite them, and the quality of the TLS configuration never comes into play.